diff --git a/kubernetes.tf b/kubernetes.tf
index beb6476..355bed7 100644
--- a/kubernetes.tf
+++ b/kubernetes.tf
@@ -203,7 +203,7 @@ resource "openstack_compute_instance_v2" "controller-nodes" {
   name = "${var.controller_name}-${count.index}.${var.dns_suffix}"
   flavor_name = "${var.controller_instance_type}"
   key_pair = "mifr-yubi"
-  security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"]
+  security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world", "naemon"]
   block_device {
@@ -226,7 +226,7 @@ resource "openstack_compute_instance_v2" "worker-nodes" {
   name = "${var.worker_name}-${count.index}.${var.dns_suffix}"
   flavor_name = "${var.worker_instance_type}"
   key_pair = "mifr-yubi"
-  security_groups = ["microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"]
+  security_groups = ["microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world", "naemon"]
   block_device {
     uuid = "5d24aca9-11be-4de1-9770-4a097d68f361"
diff --git a/main.tf b/main.tf
index fcc1ce0..b1759a5 100644
--- a/main.tf
+++ b/main.tf
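Review bot: The controller nodes keep `"Allow ssh from the world"` in their security_groups even though this same commit removes it from the pg nodes and defines the jumphost SSH group in main.tf as the intended SSH path. Unless the controllers genuinely need SSH from arbitrary sources, tighten them the same way: `security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "naemon"]`. If world SSH is deliberately retained here, a comment on the line saying why would stop the next reviewer from removing it.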
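Review bot: The new `"naemon"` entry is a literal name, so Terraform records no dependency between the worker instances and `openstack_networking_secgroup_v2.naemon` created in main.tf by this same commit; on a fresh apply the instances can be created before the group exists and fail the name lookup. Referencing the resource attribute gives the ordering for free: `openstack_networking_secgroup_v2.naemon.name` in place of `"naemon"` (the same applies to the jumphosts entry now that that group is managed here). The world-SSH remark on the controller hunk applies to the workers as well; the enclosing resource block starts and ends outside this hunk.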
@@ -13,6 +13,94 @@ required_version = ">= 0.14.0"
 provider "openstack" {
   cloud = "sto4-rut"
 }
+
+resource "openstack_networking_secgroup_v2" "naemon" {
+  name = "naemon"
+  description = "Rule to allow naemon traffic"
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule1" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol = "tcp"
+  port_range_min = 4317
+  port_range_max = 4318
+  remote_group_id = openstack_networking_secgroup_v2.naemon.id
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule2" {
+  direction = "ingress"
+  ethertype = "IPv6"
+  protocol = "tcp"
+  port_range_min = 4317
+  port_range_max = 4318
+  remote_group_id = openstack_networking_secgroup_v2.naemon.id
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule3" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol = "icmp"
+  remote_group_id = openstack_networking_secgroup_v2.naemon.id
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule4" {
+  direction = "ingress"
+  ethertype = "IPv6"
+  protocol = "ipv6-icmp"
+  remote_group_id = openstack_networking_secgroup_v2.naemon.id
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule5" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol = "tcp"
+  remote_ip_prefix = "109.105.111.111/32"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule6" {
+  direction = "ingress"
+  ethertype = "IPv6"
+  protocol = "tcp"
+  remote_ip_prefix = "2001:948:4:6::111/128"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule7" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol = "tcp"
+  port_range_min = 5666
+  port_range_max = 5666
+  remote_ip_prefix = "89.46.21.190/32"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule8" {
+  direction = "ingress"
+  ethertype = "IPv6"
+  protocol = "tcp"
+  port_range_min = 5666
+  port_range_max = 5666
+  remote_ip_prefix = "2001:6b0:6c::37f/128"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule9" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol = "icmp"
+  remote_ip_prefix = "109.105.111.111/32"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+resource "openstack_networking_secgroup_rule_v2" "naemon_rule10" {
+  direction = "ingress"
+  ethertype = "IPv6"
+  protocol = "ipv6-icmp"
+  remote_ip_prefix = "2001:948:4:6::111/128"
+  security_group_id = openstack_networking_secgroup_v2.naemon.id
+}
+
+
 resource "openstack_networking_secgroup_v2" "https" {
   name = "https"
   description = "Traffic to allow between microk8s hosts"
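Review bot: `naemon_rule5` and `naemon_rule6` set `protocol = "tcp"` with no `port_range_min`/`port_range_max`, which the OpenStack provider treats as every TCP port, so 109.105.111.111 and 2001:948:4:6::111 get unrestricted TCP into every controller, worker and pg node carrying this group — much wider than the group's own description "Rule to allow naemon traffic" and than `naemon_rule7`/`naemon_rule8`, which are pinned to 5666. If that monitor only needs the NRPE-style check port, add `port_range_min = 5666` and `port_range_max = 5666` to both rules (or whatever port it actually polls); otherwise document the reason for the open range on the rule. `naemon_rule1`/`naemon_rule2` open 4317–4318 between members of the group, which appear to be OTLP collector ports rather than naemon itself, so a short comment such as `# 4317/4318: telemetry collector traffic between hosts in this group` would explain why they live here.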
@@ -53,6 +141,46 @@ resource "openstack_networking_secgroup_rule_v2" "https_rule4" {
   remote_ip_prefix = "::/0"
   security_group_id = openstack_networking_secgroup_v2.https.id
 }
+resource "openstack_networking_secgroup_v2" "jumphosts" {
+  name = "Allow SSH from SUNET jumphosts"
+  description = "Traffic to allow ssh access from jumphosts"
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule1" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol = "tcp"
+  port_range_min = 22
+  port_range_max = 22
+  remote_ip_prefix = "130.242.125.68/32"
+  security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule2" {
+  direction = "ingress"
+  ethertype = "IPv4"
+  protocol = "tcp"
+  port_range_min = 22
+  port_range_max = 22
+  remote_ip_prefix = "130.242.121.73/32"
+  security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule3" {
+  direction = "ingress"
+  ethertype = "IPv6"
+  protocol = "tcp"
+  port_range_min = 22
+  port_range_max = 22
+  remote_ip_prefix = "2001:6b0:8:4::68/128"
+  security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
+resource "openstack_networking_secgroup_rule_v2" "jumphosts_rule4" {
+  direction = "ingress"
+  ethertype = "IPv6"
+  protocol = "tcp"
+  port_range_min = 22
+  port_range_max = 22
+  remote_ip_prefix = "2001:6b0:7:6::73/128"
+  security_group_id = openstack_networking_secgroup_v2.jumphosts.id
+}
 resource "openstack_compute_instance_v2" "monitor-node" {
   name = "monitor-1.${var.dns_suffix}"
   flavor_name = "${var.monitor_instance_type}"
diff --git a/pgcluster.tf b/pgcluster.tf
index 0a5f47a..3117a01 100644
--- a/pgcluster.tf
+++ b/pgcluster.tf
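Review bot: The new `jumphosts` resource creates a group whose `name` is the exact string the instances in kubernetes.tf and pgcluster.tf were already referencing before this commit, which implies a group of that name already exists in the project; OpenStack permits duplicate security-group names, so the next apply is likely to create a second one and the by-name lookups on the instances may then fail as ambiguous. Import the existing group into state first (`terraform import openstack_networking_secgroup_v2.jumphosts <existing-group-id>`) rather than letting apply create it, and switch the instances to `openstack_networking_secgroup_v2.jumphosts.name` so the reference is by resource. A comment above the resource recording the two jumphost addresses' owner and the process for rotating them would help, since 130.242.125.68, 130.242.121.73 and their IPv6 counterparts are otherwise unexplained literals.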
@@ -3,7 +3,7 @@ resource "openstack_compute_instance_v2" "pg-nodes" {
   name = "${var.pgcluster_name}-${count.index}.${var.dns_suffix}"
   flavor_name = "${var.pgcluster_instance_type}"
   key_pair = "mifr-yubi"
-  security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "Allow ssh from the world"]
+  security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "naemon"]
   block_device {
diff --git a/vars.tf b/vars.tf
index dac23ab..52fc038 100644
--- a/vars.tf
+++ b/vars.tf
@@ -1,5 +1,5 @@
 variable "worker_instance_count" {
-  default = "10"
+  default = "8"
 }
 variable "controller_instance_count" {
   default = "3"
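Review bot: Dropping `"Allow ssh from the world"` from the pg nodes is the right direction, but the new list still carries `"https"`, and the main.tf hunk in this same diff shows `https_rule4` with `remote_ip_prefix = "::/0"`, so the database nodes stay reachable from any IPv6 source on whatever that rule opens (the port is not visible here). Unless the pg nodes terminate HTTPS themselves, trim the list to `security_groups = ["microk8s", "Allow SSH from SUNET jumphosts", "naemon"]`. As on the other instance resources, `"naemon"` is a literal name with no Terraform dependency on the group created in main.tf; `openstack_networking_secgroup_v2.naemon.name` would order creation correctly.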
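Review bot: Lowering `worker_instance_count` from 10 to 8 makes the next apply destroy the two worker instances with `count.index` 8 and 9, and nothing in this diff drains or removes them from the microk8s cluster first. That should be done before apply (cordon/drain and `microk8s remove-node` on the cluster side), and a comment on the variable noting that reducing it is destructive would be worth adding, e.g. `# Reducing this destroys the highest-index workers; drain them from microk8s first.`.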